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(54) Security and authentication of postage indicia 



(57) Methods and apparatus for authentication of 
postage indicia are disclosed. A secret key is read (40) 
from store and modified (42) in dependence upon post- 
age data (34) to be printed in a postage indicium. The 
modified key is then utilised (43) to generate an authen- 
tication code (35) dependent upon the postage data (34) 
to be printed. Authentication of the indicium is effected 



by reading (50) the authentication code (35) and post- 
age data (34) from the printed indicium and repeating 
the process of generating an authentication code. The 
generated authentication code is compared (56) with 
the authentication code read from the indicium. A control 
code based on a value in an accounting register may be 
included in the indicium. The value may be a value of 
postage dispensed in a determined expired period. 
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Description 

This invention relates to postage indicia printed on 

— mail items and to the provision of security and authen- 

tication of said indicia. s 

Postage meters have been utilised over a long pe- 
riod to print postage indicia on mail items, the postage 
indicia indicating that postage has been applied to the 
mail item and that accounting has been effected in re- 
spect of the applied postage. Known postage meters in- 10 
elude an electronic circuit for carrying out accounting 
functions in relation to amounts of postage charges ap- 
plied to mail item. The electronic circuit receives an input 
of a desired postage charge to be applied to a mail item, 
carries out accounting in respect of the required postage is 
charge and then operates a printer of the postage meter 
to print a postage indicium on the mail item. Generally 
the postage indicium includes at least the postage 
charge, the date on which the indicium is printed and an 
identification of the postage meter. 20 

Previously, the printer. of the postage meter com- 
prised a rotatable drum printer in which a die plate car- 
ried by the drum printed fixed invariable information of 
the indicium and settable print wheels carried by the 
drum printed variable information of the indicium. The zs 
fixed invariable information comprises a graphical pat- 
tern, a meter identification number and the originating 
postal region for the mail. The variable information com- 
prises an amount of the postage charge and the date of 
printing the indicium. 30 

The postage meter is constructed in a secure man- 
ner by being housed in a secure housing and the printing 
means which prints the indicium is constructed to work 
integrally with the meter and also is secure. Accordingly 
the indicia is printed under conditions of security and 35 
attempts to operate the meter and printer in a fraudulent 
manner in which indicia are printed in respect of postage 
amounts for which accounting has not been effected are 
prevented. 

However in order to provide additional security with *o 
respect to the postage amounts applied to mail items it 
is desirable that the indicia on the mail items include au- 
thenticating information whereby the authenticity of the 
indicia can be verified. By including this authenticating 
information it is possible, by examination of indicia on *s 
mail items, to detect indicia which are not genuine and 
purport to represent postage charges. No accounting for 
the postage charges represented by such non-genuine 
indicia will have been effected so that such indicia have 
been produced in a manner which results in fraud on the so 
postal authority or other carrier. 

Postage meters currently available are provided 
with a digital printer in place of the drum printer. The 
digital printer is controlled by the electronic circuit of the 
postage meter to print in a series of cycles a pattern of ss 
dots to form the complete indicium. It will be appreciated 
thatr whereas" the^ndiciuTnprintecJ " bylhe drum printer 
of earlier postage meters is invariable apart from the val- 



ue of postage charge and date, the digital printer of cur- 
rently available postage meters is capable of printing an 
indicium containing significantly more variable informa- 
tion: Due to th^increased flexibility and capability of dig- 
ital printers as compared with drum printers it is possible 
to print additional information in the indicium which can 
be utilised to authenticate the indicium whereby indicia 
printed in an unauthorised manner can be recognised 
and differentiated from indicia printed in an unauthor- 
ised manner by an unauthorised postage meter. 

According to a first aspect of the invention a method 
of generating an indicium for printing on an item includes 
the steps of storing a key; generating a modified key 
from the stored key in dependence upon first data to be 
included in said indicia; utilising the modified key in con- 
junction with second data to be included in the indicia to 
generate an authentication code and printing the indici- 
um, said indicium including said first and second data 
and said authentication code. 

According to a second aspect of the invention a 
method of authenticating an indicium including data and 
an authentication code for authentication of said data 
includes the steps of selecting a stored key; utilising said 
data to generate a modified key from said stored key; 
utilising said modified key and said data to generate an 
authentication code and comparing the generated au- 
thentication code with the authentication code included 
in the indicium. 

According to a third aspect of the invention postage 
meter apparatus includes means storing a secret key; 
input means for the input of postage data; electronic 
control means operative to read the secret key and to 
modify the secret key to generate a modified secret key 
in dependence upon and the postage data, said elec- 
tronic control means being operative to utilise the mod- 
ified secret key to generate an authentication code de- 
pendent upon the postage data and being operative to 
print an indicium containing the postage data and the 
authentication code. 

According to a fourth aspect of the invention a post- 
age meter includes a register storing a value of postage 
dispensed by the postage meter in a determined period 
and means to generate a control value dependent upon 
the value stored in said register and to include a code 
value dependent upon the control value in an indicium 
printed on a mail item. 

An embodiment of the invention will be described 
by way of example with reference to the drawings in 
which:- 

Figure 1 is a block diagram of a postage meter 
Figure 2 illustrates machine information included in 
an indicium printed on a mail item, 
Figure 3 is a flowchart illustrating steps carried out 
in generating authentication information to be print- 

ed in the i ndicium 

Figure 4 is a flow chart illustrating steps in authen- 
ticating a printed indicium and 
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Figure 5 is a flow chart illustrating additional or al- 
ternative steps carried out in printing a postage in- 



Referring first to Figure 1 of the drawings, the post- 
age meter includes electronic accounting and control 
means comprising a micro-processor 10 operating un- 
der program routines stored in a read only memory 
(ROM) 11. A keyboard 12 is provided for input of com- 
mands and data by a user and a display 13 is provided 
to enable display of information to the user. A random 
access memory (RAM) 1 4 is provided for use as a work- 
ing store for storage of temporary data during operation 
of the postage meter. Non-volatile duplicated memories 
1 5, 1 6 are provided for the storage of critical data relat- 
ing to use of the postage meter and which is required to 
be retained even when the postage meter is not pow- 
ered. The microprocessor 10 carries out accounting 
functions in relation to use of the postage meter for 
franking mail items with amounts of postage charges ap- 
plicable to handling of the mail items by the postal au- 
thority or another carrier. Accounting data relating to use 
• of the postage meter for printing franking indicia repre- 
senting postage charges for mail items and any other 
critical data to be retained is stored in the non -volatile 
memories 15, 16. The accounting data includes a value 
of credit, an accumulated total of value used by the me- 
ter in franking mail items, a count of the number of mail 
items franked by the meter and a count of the number 
of mail items franked with a postage charge in excess 
of a predetermined value. The value of credit may be a 
value of credit available for use by the meter and stored 
in a descending credit register. The accumulated total 
value used by the meter is stored in an ascending tote 
register, the count of items is stored in a piece count 
register and the count of items franked with a postage 
charge in excess of a predetermined value is stored in 
a large items register. Alternatively if desired, instead 
of a descending register storing a value of credit avail- 
able for use by the meter, a total value of credit entered 
into the meter may be stored in an ascending credit reg- 
ister. 

As is well known in the postage meter art, each of 
the registers referred to hereinbefore for storing ac- 
counting data is replicated in order to enable integrity of 
the accounting data to be maintained even in the event 
of a fault or termination of power to the meter during a 
franking operation. Two replications of each of the reg- 
isters are provided in each of the memory devices 15 
16. 

A motor controller 1 7 is controlled by the microproc- 
essor 10 to control operation of motors 18 driving feed- 
ing means (not shown) for feeding a mail item past a 
digital print head 19. The digital print head 19 may be 
an impact print head in which print elements are im- 
pelled selecti vely to impact with an ink ribbon to transfer 
ink to a-maH item or any otheTform of digital print head 
and for example may be a non-impact print head. It is 



preferred to use a non-impact print head such as a ther- 
mal print head operating as described hereinafter. The 
thermal print head includes a plurality of selectively en- 
eTgisable thermal printing elements 20. Sensors 21 are 
s provided to sense and monitor feeding of the mail item. 
The sensors provide signals to the microprocessor to 
enable the microprocessor to control feeding of the mail 
item and to energise selectively the thermal print ele- 
ments 20 of the print head at appropriate times as the 
*° mail item is fed past the print head. As the mail item is 
fed past the thermal printing elements 20 of the print 
head 19 during a printing operation, the microprocessor 
outputs on line 22, in each of a series of printing cycles, 
print data signals selecting those ones of the printing 
'5 elements 20 which are to be energised in each respec- 
tive printing cycle. A pulse of electrical power is supplied 
to the selected thermal printing elements from a power 
source 23 when a strobe signal is supplied by the mi- 
croprocessor on a line 24 to the print head. When print- 
20 ing a bar-code, a plurality of adjacent thermal printing 
elements are energised in selected printing cycles such 
as to print narrow and wide bars as required to represent 
data. The bars may all be of the same length in which 
case the same number of thermal printing elements are 
25 energised in each of the selected printing cycles. How- 
ever when it is desired to print bars of selected different 
lengths, the number of thermal printing elements ener- 
gised in each selected printing cycle is selected to cor- 
respond to the required length of bar to be printed. 
30 It will be appreciated, as is well known in the post- 
age meter art, that the postage meter must operate in a 
secure manner and be protected from attempts to use 
the meter fraudulently for example by utilising the post- 
age meter to print franking indicia on mail items for which 
35 no corresponding postage charge has been accounted 
for by the accounting means. Accordingly those parts of 
the postage meter required to be secured against unau- 
thorised tampering are housed in a secure housing 28. 
In so-called prepayment operation of a postage me- 
40 ter, each time a franking operation is to be performed, 
the micro-processor carries out a routine in which a de- 
termination is made as to whether the value of credit in 
the credit register is sufficient to permit the franking op- 
eration in respect of the required postage charge for a 
■« mail item to be performed. If the value of credit in the 
credit register is sufficient, the franking operation is con- 
tinued and the accounting data in the registers is updat- 
ed to account for the postage charge and the franking 
indicia is printed. However if the value of credit in the 
so credit register is not sufficient to permit the franking op- 
eration in respect of the required postage charge to be 
performed, the operation is terminated and the franking 
indicia is not printed. Where a value of credit available 
for use in franking is stored in a descending register, the 
« check as to sufficiency of the credit available is effected 
byadelermination of.whether.the postage charge is less — 

»h^n tK« -JU .._t..^ .... 



than the credit value. Where a total value of credit is 
stored in an ascending credit register the check as to 
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sufficiency of credit is effected by a determination of 
whether the total value of credit is at least equal to the 
sum of the postage amount and the accumulated total 
value in the tote register - 



In addition to the security against fraudulent at- 
tempts to print postage indicia on mail items provided 
by the secure construction of the postage meter, addi- 
tional security in respect of the postage indicia and for 
the postage amounts represented is provided by au- 
thentication data included in the indicia. The authenti- 
cation data to be printed in the indicia is encrypted. The 
postage data together with the encrypted authentication 
data information is printed on the mail item. The encryp- 
tion of the data is effected using an algorithm and a se- 
cret key so that the encrypted information is not predict- 
able from the data printed in the indicia. The validity of 
an indicium can be verified by carrying out the same en- 
crypt ion of the printed data and then comparing the re- 
sultant encrypted information with the encrypted infor- 
mation printed on the mail item. If the comparison is suc- 
cessful validity of the indicium is verified whereas if the 
comparison is not successful the indicium is regarded 
as not authentic. The process for generation of the en- 
crypted information, if desired, may be a reversible en- 
cryption process whereby the encrypted information can 
be decrypted to yield the original data. When a reversi- 
ble encryption process is used, verification of the indici- 
um may be effected by decrypting the encrypted infor- 
mation printed in the indicium and comparing the de- 
crypted information with the original data. Instead of uti- 
lising encrypted information for verification of the au- 
thenticity of the indicium a digital signature may be used. 

To facilitate verification of the validity of the indicia 
it is desirable that the data and encrypted information or 
digital signature in the indicia is of a form which is ma- 
chine readable. Accordingly the mail items can be fed 
through reading means to scan the indicia on the mail 
items and computing means coupled to the reading 
means carries out verification checks on the scanned 
indicia. Conveniently the postage data and encrypted 
authentication data are printed in a form suitable for op- 
tical character recognition or may be printed in the form 
of a bar-code. In addition to the machine readable infor- 
mation, the indicium may contain information in human 
readable form. 

Referring now to Figure 2 of the drawings, the figure 
illustrates an example of a format of postage data items 
and encrypted information in a machine readable pari 
of an indicium. The machine readable part of the indici- 
um includes postage data comprising a meter vendor's 
or meter manufacturer's identification 30 provided by a 
single digit, a postage meter identification 31 provided 
by six digits, a piece count 32 of the number of mail items 
processed by the postage meter provided by five digits, 
a date representation 33 provided by a single digit, a 
postago a mount 34 represented by a sin g le di g it and 



also Includes a mail authentication code 35 of two digits 
comprising an encryption of authentication data. If de- 



sired the order of the items of data and may be changed 
and the encrypted authentication data 35 may be a dig- 
ital sig nature in stead of encrypted information. The re p- 
resentation of date by a single digit and the representa- 
* tion of postage amount by a single digit is described in 
our pending application GB 9623936.3. The '*' symbols 
are used in the figure to separate the various items of 
data in the indicia. However in practice if desired these 
symbols may be omitted or replaced by other means the 
fo only requirement being that each data item can be dis- 
tinguished from a neighbouring data item. 

Referring to the flow chart of Figure 3, the micro- 
processor of the postage meter reads (step 40) a secret 
key stored in the non-volatile memory 15, 16 and then 
'5 modifies the secret key in a modification process. The 
modification of the secret key is effected in dependence 
upon a code generated (step 41 ) from data to be printed 
in the machine readable part of the indicium. A code 
number which may be a check digit or check digits is 
20 generated (step 41 ) from at least a part of the postage 
data and the code number is utilised in conjunction with 
an algorithm or look-up table to generate (step 42) a 
modified secret key. Thus the modified secret key will 
be unpredictable for each mail item and will vary in a 
25 random manner dependent upon the postage data. The 
modified secret key is then utilised (step 43) with an al- 
gorithm to operate on at least a part of the postage data 
to generate the machine authentication code. Then an 
indicium containing the postage data and authentication 
30 code is printed (step 44) on the mail item and the routine 
in respect of that mail Hem ends (END 45). 

Referring to the flow chart of Figure 4, when the mail 
item bearing a postage indicia including the machine 
readable part is received by a postal authority, the ma- 
ss chine readable data is read (step 50) by a machine read- 
ing device such as a scanner and the output of the scan- 
ner is input to a postal authority computer. The computer 
utilises (step 51 ) the vendor identification 30 and the 
postage meter identification 31 to access a look-up table 
40 to determine the secret key appropriate to the postage 
meter that printed the indicia on the received mail item. 
The computer then modifies the secret key in depend- 
ence upon a code generated in dependence upon the 
postage data read from the mail item, in the same man- 
& ner as the postage meter generated the modified secret 
key, to generate a modified key corresponding to the 
modified secret key generated by the postage meter. 
Thus the computer generates (step 52) the code from 
the postage data and utilises the code to generate (step 
50 53) the modified secret key. The computer then utilises 
(step 54) the modified secret key with an algorithm to 
operate on the code generated from the postage data, 
in the same manner as the postage meter, to generate 
the mail authentication code 35. The computer then 
55 compares (step 55) the authentication code generated 

in_step_54_with.me.authentication-code-read-from-the — 

mail item. If the mail authentication code generated by 
the computer corresponds (YES output of step 56) to 
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the mail authentication code read in the machine read- 
able part of the indicia printed on the mail item the post- 
age indicia is authenticated and is genuine and the mail 
— item is accepted (step 57):The authentication^ the in" 
dicium for that mail item then ends (END 58). However 
if the mail authentication code generated by the compu- 
ter does not correspond (NO output of step 56) to the 
mail authentication code read from the indicia, the indi- 
cia is not authenticated and is not genuine. The compu- 
ter then operates to reject (step 59) the mail item as 
bearing an indicia which has been printed in a fraudulent 
manner and checking authentication of the indicium on 
that mail item ends (END 58). It will be appreciated that 
if the postage meter utilises only a part of the postage 
data to generate the code to modify the key and only a 
part of the postage data to generate the authentication 
code, the computer utilises the same part or parts of the 
postage data in generating the code to modify the key 
and to generate the authentication code. 

Instead of modifying the key as described herein- 
before, or in addition to modifying the key, the data print- 
ed in the machine readable part of the indicium may in- 
clude a control value dependent upon the accumulated 
value in the ascending register of postage dispensed by 
the meter and the credit value in the credit register and, 
for example, the control value may be dependent upon 
the sum of the accumulated value and the credit value. 
The control value may be equal to the sum of the accu- 
mulated value and credit value or may be derived from 
this sum. A routine, or a sub-routine to be incorporated 
in the routine illustrated by Figure 3, for printing an ind- 
icium containing a control value is illustrated by the flow 
chart of Figure 5. After initiation (START 60) of the rou- 
tine or sub-routine, the control value is generated (step 
61) and the indicium is printed (step 62), the indicium 
containing the control a value. If desired, where the 
steps of Figure 5 are a sub-routine, the sub-routine may 
be carried out between steps 43 and 44 of the flow chart 
of Figure 3. 

The postage meter may be provided with registers 
in the non-volatile memories 15,16 which store monthly 
totals of postage dispensed by the meter. For example, 
there may be two such registers, one storing the amount 
of postage dispensed to date in a current period and 
which will continue to be incremented as postage is dis- 
pensed until the end of the current period and the other 
register storing the amount of postage dispensed in the 
period immediately preceding the current period. The 
start and finish of each period is determined by a real 
time clock 29 communicating with the microprocessor 
10. Conveniently each of the periods may be equal to 
one month. Instead of the control value being dependent 
upon the sum of the accumulated tote value and the 
credit value, the control value may be dependent upon 
the values stored in one or both of these two registers. 
Fo r example the control value may be a check di g it re- 
lating to the register storing the postage value dis- 
pensed in the preceding period or may be a range indi- 



cator related to an amount of postage predicted to be 
dispensed by the postage meter. The range indicator 
may be based on the amount of postage dispensed in 
the preceding period. 

5 It is preferred that the indicia printed on the mail item 
contains all the postage data required to enable authen- 
tication of the indicia at the postal authority. However, 
postage meters are subject to inspection at predeter- 
mined intervals either by physically taking the meter to 

to the postal authority or by remote inspection via a com- 
munication link and in the course of such inspections 
data is read from the registers of the meter. Accordingly 
one or more items of postage data additional to those 
included in the postal indicia printed on the mail item 

« may be communicated to the postal authority during 
each said inspection of the postage meter and these ad- 
ditional items of data may be utilised by the postal au- 
thority computer in authentication of the indicia printed 
on the mail items. 



Claims 

1. A method of generating an indicium for printing on 
2s an item including the steps of storing a key charac- 
terised by generating a modified key (42) from the 
stored key in dependence upon first data to be in- 
cluded in said indicia; utilising (43) the modified key 
in conjunction with second data to be included in 
30 the indicia to generate an authentication code (35) 
and printing (44) the indicium, said indicium includ- 
ing said first and second data (34) and said authen- 
tication code (35). 

35 2. A method as claimed in claim 1 wherein the first da- 
ta comprises at least one check digit generated 
from postal data (34) to be included in the printed 
indicium. 

<o 3. A method as claimed in claim 1 or 2 wherein the first 
data is the same as the second data. 

4. A method of authenticating an indicium including 
data (34) and an authentication code (35) for au- 

45 thentication of said data characterised by the steps 
of selecting (51) a stored key; utilising said data to 
generate (53) a modified key from said stored key; 
utilising (54) said modified key and said data to gen- 
erate an authentication code and comparing (56) 
50 the generated authentication code with the authen- 
tication code included in the indicium. 

5. • A method as claimed in claim 4 wherein the indicium 
includes an identification (31) and a database 
stores a plurality of identifications and keys corre- 

_sppnd ing _to. said.identif ications. and-including -the— 



steps of reading (50) the identification (31 ) from the 
indicium and utilising the read identification to select 
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(51) the key corresponding to the read identifica- 
tion. 

- 6. - Postage - mete r - apparatus - includin g - input " means 

(12) for the input of postage data (34) characterised s 
by means (15, 16) storing a secret key; electronic 
control means (10) operative to read the secret key 
and to modify the secret key to generate a modified 
secret key in dependence upon and the postage da- 
ta, in that said electronic means is operative to uti- w 
lise the modified secret key to generate an authen- 
tication code (35) dependent upon the postage data 
(34) and in that the electronic means is operative to 
print an indicium containing the postage data (34) 
and the authentication code (35). 15 

7. A postage meter including a first register (15, 16) 
storing a value of postage dispensed by the postage 
meter in a predetermined period characterised by 
generation means (10) to generate a control value 20 
dependent upon the value stored in said first regis- 
ter and to include a code value dependent upon the 
control value in an indicium printed on a mail item. 

8. A postage meter as claimed in claim 7 wherein the 
first register (15, 16) stores a value of postage dis- 
pensed in an expired period preceding a current pe- 
riod and including a second register (15, 16) storing 
a value of postage dispensed by the postage meter 
in a current unexpired period. 

9. A postage meter as claimed in claim 8 including a 
credit register (15, 16) storing a value of credit; and 
wherein the generation means (10) is operative to 
generate a control value dependent upon the value 35 
stored in the first register of postage dispensed in ' 
the determined period and the value of credit stored 

in the credit register; and means operative to in- 
clude a code value dependent upon said control val- 
ue in an indicium printed on a mail item. 40 
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